
ShrinkLocker Ransomware Leverages BitLocker for File Encryption


Security researchers from Kaspersky have uncovered a ransomware campaign called ShrinkLocker, in which attackers abuse the BitLocker encryption tool built into Windows to encrypt their victims’ data and then demand a ransom.

ShrinkLocker uses an advanced VBScript to initiate encryption with BitLocker. After starting, the script collects information about the target system and performs various checks.

The ShrinkLocker ransomware differentiates itself by targeting specific Windows versions, using a VBScript that activates BitLocker based on the version it detects.

The script can resize local system drives, then modify the boot configuration and activate the BitLocker service to encrypt the data on the drives. This approach lets it adapt effectively to both new and legacy systems.

If the script finds conditions it cannot handle, for example when it detects one of the strings “XP”, “2000”, “2003” or “Vista” in the operating system name, it terminates automatically and deletes itself.

The ShrinkLocker script also disables the default protectors that would back up the BitLocker key, preventing the victim from recovering it. It then generates a random password and transmits it to the attacker.

The VBScript leaves the attackers’ e-mail address in the label of the newly created boot partitions so the victim can contact them about a possible ransom payment. It also covers its tracks by removing the tasks it created and deleting system logs.

Finally, the target system is shut down, and at the next start the user is greeted with a message indicating that the PC has no more BitLocker recovery options.

As the report noted, while other ransomware programs are compiled and use various tricks to avoid detection, ShrinkLocker does not bother to create complex cryptographic mechanisms or obfuscate its code.

Purely Monetary Motivation

Eduardo Ovalle, digital forensic and incident response group manager at Kaspersky GERT, pointed out that the version of the script and the TTPs suggest this ransomware does not operate as a Ransomware as a Service (RaaS).

“This means the attackers do not need to coordinate or negotiate with providers, giving them the opportunity to keep the entire ransom payment if the affected companies choose to pay,” Ovalle said. “As a note, we always recommend against paying the ransom.”

The main motivator of the attacks was purely monetary. “After the infection, the attacker left his e-mail address as a disk label for contact about the ransom,” Ovalle said.

Evolution of Living off the Land Attacks

Nic Finn, security consultant at GuidePoint Security, called ShrinkLocker a furtherance of the same “living off the land” techniques threat actors have been abusing lately, in which they rely on built-in or organizational services and features for their own malicious purposes.

“Some experts have hypothesized about the use of BitLocker as a means of encrypting client data, since exfiltrating then deleting the key makes the data practically gone unless the threat actor provides the key back to the victim,” Finn said.

On the one hand, this could be an effective use case for ransomware operations, Finn said, as it sidesteps the need for a custom encryptor and it evades defenses well. There’s no need to develop, transfer, and execute an encryptor. “Alternatively, destructive threat actors and hacktivists could use this technique without exfiltrating the BitLocker key to effectively wipe target systems with no chance of recovery, unless victims have a secure recovery key storage and backup process for all machines,” he said.

Finn said proactive actions would include developing new hypotheses for novel encryption and exfiltration techniques and testing new detection methods to prevent real-world exploitation.
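The behaviour chain the article attributes to the script (partition resizing, boot-configuration changes, removal of BitLocker key protectors, scheduled-task cleanup and log clearing, all driven from a script host) is itself a detection hypothesis of the kind Finn describes. The following is an added example, not code from Kaspersky, GuidePoint or the article: a small Python detector that runs behaviour rules over constructed process-creation records shaped like Windows Security event 4688 fields and raises a finding when a single host shows several of those stages spawned by wscript.exe or cscript.exe. The exact command lines per stage are assumptions (the article names the behaviours, not the commands), and the sample telemetry is constructed.

```python
"""Detection sketch for the ShrinkLocker behaviour chain (added example).

Assumed command-line shapes per stage; constructed telemetry. Not the
article's or Kaspersky's code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    stage: str    # stage of the chain described in the article
    image: str    # executable name, matched case-insensitively
    pattern: str  # regex over the command line (empty = any launch)


# Hypothesised command-line shapes for each stage the article describes.
# diskpart takes its subcommands from a script file (/s) or stdin, so the
# launch itself is the only thing visible in a process-creation record.
RULES = (
    Rule("partition_resize", "diskpart.exe", r""),
    Rule("boot_config_access", "bcdedit.exe", r""),
    Rule("protector_removal", "manage-bde.exe", r"-protectors\s+-(delete|disable)\b"),
    Rule("task_cleanup", "schtasks.exe", r"/delete\b"),
    Rule("log_clearing", "wevtutil.exe", r"\bcl\b"),
)
SCRIPT_HOSTS = frozenset({"wscript.exe", "cscript.exe"})


def _basename(path):
    """Last path component, lower-cased, so C:\\Windows\\System32\\x.exe -> x.exe."""
    return path.rsplit("\\", 1)[-1].lower()


def matched_stage(event):
    """Return the stage an event's image + command line matches, or None."""
    image = _basename(event["image"])
    for rule in RULES:
        if image == rule.image and re.search(rule.pattern, event["cmdline"], re.IGNORECASE):
            return rule.stage
    return None


def detect(events, min_stages=2):
    """Collect script-host-spawned stage hits per host; alert at min_stages."""
    stages_by_host = defaultdict(dict)  # host -> {stage: first command line seen}
    for ev in events:
        if _basename(ev["parent"]) not in SCRIPT_HOSTS:
            continue  # only count stages driven from a script host
        stage = matched_stage(ev)
        if stage and stage not in stages_by_host[ev["host"]]:
            stages_by_host[ev["host"]][stage] = ev["cmdline"]
    findings = []
    for host, stages in sorted(stages_by_host.items()):
        if len(stages) >= min_stages:
            findings.append({"host": host, "stages": sorted(stages), "evidence": stages})
    return findings


# Constructed telemetry, not real event data: WS01 shows the full chain from a
# script host; WS02 is an administrator clearing a log from an interactive
# console, which should not alert on its own.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\diskpart.exe", "cmdline": r"diskpart.exe /s C:\Windows\Temp\x.txt"},
    {"host": "WS01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit.exe /enum all"},
    {"host": "WS01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\manage-bde.exe", "cmdline": "manage-bde.exe -protectors -delete C:"},
    {"host": "WS01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": 'schtasks.exe /delete /tn "Updater" /f'},
    {"host": "WS01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe cl System"},
    {"host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe cl Application"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["host"], "->", ", ".join(finding["stages"]))
```

The point of requiring several stages from one script-host parent is precision: any one of these commands is routine administration, but the combination under wscript.exe or cscript.exe is what the article's description makes unusual. A production version would key on the real telemetry source (Sysmon event 1 or Security 4688 with command-line auditing enabled) and add the registry and WMI paths a script can use instead of the command-line tools.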
